From cb5d4e0ef7375d3f1994eb41b30ba04147e748a4 Mon Sep 17 00:00:00 2001 
From: Greg Harvey Date: Wed, 18 Dec 2024 14:15:15 +0100 Subject: [PATCH] Bug fixes 2.x pr devel 2.x (#2149) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision https://github.com/ansible-collections/amazon.aws/issues/2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didn't work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar * Updating-postfix-default-transport-maps (#2092) * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_childen to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template.
* Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Bug fixes 2.x pr 2.x (#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. * Grouping systemd timer tasks together. 
* Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. 
* Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_childen to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. 
* Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. * Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provisin. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. * Missed a controller var. * Commenting out the CE container to test. 
* Adding a separate step for Git actions. * Need sudo for Ubuntu. * efs_version_fix_for_old_debian_workaround (#2151) * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * fix(duplicity): Fix file name of include/exclude list (#2152) * Running a find to see if we can find the missing roles. * More verbosity. * Checking for missing requirements file. * Removing erroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. * Fixing service namespace for runner and reinstating GitLab tasks.
* Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostgreSQL logs to see if there are errors. * Outputting PostgreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. --------- Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com> Co-authored-by: Matej Stajduhar Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Co-authored-by: Klaus Purer Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com> --- .../workflows/ce-provision-test-gitlab.yml | 54 +++++++-------- .github/workflows/ce-provision-test-web.yml | 56 ++++++---------- ce-dev/ansible/plays/gitlab/ci.yml | 37 ++++++++++ ce-dev/ansible/plays/web/ci.yml | 22 ++++++ ce-dev/ansible/vars/gitlab/gitlab_runner.yml | 2 + docs/roles/_init.md | 9 ++- docs/roles/debian/aws_efs_client.md | 2 +- docs/roles/debian/ce_deploy.md | 2 +- docs/roles/debian/gitlab.md | 1 + docs/roles/debian/php-fpm.md | 2 +- install.sh | 67 ++++++++++++++++--- roles/_exit/tasks/main.yml | 1 + roles/_init/README.md | 9 ++- roles/_init/defaults/main.yml | 9 ++- roles/_init/tasks/main.yml | 6 +- roles/debian/ansible_galaxy/tasks/main.yml | 1 - roles/debian/apt_repository/tasks/main.yml | 1 + roles/debian/aws_efs_client/README.md | 2 +- roles/debian/ce_deploy/README.md | 2 +- roles/debian/ce_deploy/defaults/main.yml | 2 +- roles/debian/duplicity/tasks/main.yml | 2 +- roles/debian/gitlab/README.md | 1 + roles/debian/gitlab/defaults/main.yml | 1 + roles/debian/gitlab/tasks/main.yml | 29 ++++---- .../gitlab/templates/gitlab-config.rb.j2 | 4 -- roles/debian/gitlab_runner/tasks/main.yml | 2 +- roles/debian/jitsi/tasks/main.yml | 2 +- roles/debian/locales/tasks/main.yml | 2 +- 
.../mysql_server_mariadb/tasks/main.yml | 4 +- .../mysql_server_oracle_ce/tasks/main.yml | 4 +- roles/debian/nginx/templates/drupal10.j2 | 2 +- roles/debian/nginx/templates/drupal_common.j2 | 2 +- roles/debian/nginx/templates/mautic.j2 | 2 +- roles/debian/php-fpm/README.md | 2 +- roles/debian/php_blackfire/defaults/main.yml | 2 + roles/debian/php_blackfire/tasks/main.yml | 8 +-- roles/debian/postfix/tasks/main.yml | 7 +- roles/debian/postfix/templates/main.cf.j2 | 2 +- roles/debian/user_deploy/defaults/main.yml | 2 +- roles/debian/user_provision/defaults/main.yml | 2 +- 40 files changed, 232 insertions(+), 137 deletions(-) create mode 100644 ce-dev/ansible/plays/gitlab/ci.yml create mode 100644 ce-dev/ansible/plays/web/ci.yml create mode 100644 ce-dev/ansible/vars/gitlab/gitlab_runner.yml diff --git a/.github/workflows/ce-provision-test-gitlab.yml b/.github/workflows/ce-provision-test-gitlab.yml index 4d7f226d9..bd50e7233 100644 --- a/.github/workflows/ce-provision-test-gitlab.yml +++ b/.github/workflows/ce-provision-test-gitlab.yml 
@@ -1,42 +1,42 @@ name: Run GitLab server test build -# Run this workflow every time a new commit pushed to your repository -on: pull_request +# Run this workflow nightly and every time a new commit pushed to your repository +on: + schedule: + - cron: '30 4 * * *' + pull_request: jobs: # Set the job key. The key is displayed as the job name # when a job name is not provided test-gitlab: + if: ${{ github.event.pull_request.head.ref != 'documentation' }} # Name the Job - name: Run tests against Ansible code base + name: Build a GitLab server with ce-provision # Set the type of machine to run on runs-on: ubuntu-latest - steps: - # Checks out a copy of your repository on the ubuntu-latest machine - - name: Checkout code - if: ${{ github.event.pull_request.head.ref != 'documentation' }} - uses: actions/checkout@v2 + # Use our ce-dev Debian base container + container: + image: codeenigma/ce-dev:2.x + volumes: + - ${{ github.workspace }}:/home/controller - # Installs the ce-dev stack - - name: Install ce-dev - if: ${{ github.event.pull_request.head.ref != 'documentation' }} + steps: + - name: Install ce-provision run: | - cd /tmp - wget https://golang.org/dl/go1.15.8.linux-amd64.tar.gz - sudo tar -C /usr/local -xzf go1.15.8.linux-amd64.tar.gz - export PATH=$PATH:/usr/local/go/bin - git clone https://github.com/FiloSottile/mkcert && cd mkcert - go build -ldflags "-X main.Version=$(git describe --tags)" - sudo mv ./mkcert /usr/local/bin && cd ../ - sudo chmod +x /usr/local/bin/mkcert - rm -Rf mkcert - curl -sL https://raw.githubusercontent.com/codeenigma/ce-dev/${{ github.event.pull_request.base.ref }}/install.sh | /bin/sh -s -- --platform linux + /usr/bin/curl -LO https://raw.githubusercontent.com/codeenigma/ce-provision/${{ github.event.pull_request.head.ref }}/install.sh + /usr/bin/chmod +x ./install.sh + /usr/bin/sudo ./install.sh --version ${{ github.event.pull_request.head.ref }} --config-branch ${{ github.event.pull_request.base.ref }} --docker --no-firewall - # Uses 
the ce-dev stack to run a test provision - - name: Run a test provision - if: ${{ github.event.pull_request.head.ref != 'documentation' }} + # Run a GitLab server provision + - name: Prepare Git repos on disk run: | - git clone --branch ${{ github.event.pull_request.base.ref }} https://github.com/codeenigma/ce-dev-ce-provision-config.git config - /bin/bash ce-dev/ansible/test.sh --examples gitlab --own-branch ${{ github.event.pull_request.head.ref }} --config-branch ${{ github.event.pull_request.base.ref }} - shell: bash + /usr/bin/git config --global --add safe.directory /home/controller/ce-provision + /usr/bin/git config --global --add safe.directory /home/controller/ce-provision/config + + - name: Start SSHD + run: /usr/sbin/sshd& + + - name: Provision a test GitLab server + run: /usr/bin/su - controller -c "cd /home/controller/ce-provision && /bin/sh /home/controller/ce-provision/scripts/provision.sh --python-interpreter /home/controller/ce-python/bin/python3 --repo dummy --branch dummy --workspace /home/controller/ce-provision/ce-dev/ansible --playbook plays/gitlab/ci.yml --own-branch ${{ github.event.pull_request.head.ref }} --config-branch ${{ github.event.pull_request.base.ref }} --force" diff --git a/.github/workflows/ce-provision-test-web.yml b/.github/workflows/ce-provision-test-web.yml index 9b1c15b32..54421cd40 100644 --- a/.github/workflows/ce-provision-test-web.yml +++ b/.github/workflows/ce-provision-test-web.yml 
@@ -1,60 +1,42 @@ name: Run web server test build -# Run this workflow every time a new commit pushed to your repository -on: pull_request +# Run this workflow nightly and every time a new commit pushed to your repository +on: + schedule: + - cron: '30 4 * * *' + pull_request: jobs: # Set the job key. The key is displayed as the job name # when a job name is not provided test-web: + if: ${{ github.event.pull_request.head.ref != 'documentation' }} # Name the Job - name: Run tests against Ansible code base + name: Build a web server with ce-provision # Set the type of machine to run on runs-on: ubuntu-latest # Use our ce-dev Debian base container container: image: codeenigma/ce-dev:2.x + volumes: + - ${{ github.workspace }}:/home/controller steps: - # Checks out a copy of your repository on the ubuntu-latest machine - #- name: Checkout code - # if: ${{ github.event.pull_request.head.ref != 'documentation' }} - # uses: actions/checkout@v2 - - # Installs ce-provision - name: Install ce-provision - if: ${{ github.event.pull_request.head.ref != 'documentation' }} run: | - curl -LO https://raw.githubusercontent.com/codeenigma/ce-provision/${{ github.event.pull_request.head.ref }}/install.sh - chmod +x ./install.sh - sudo ./install.sh --version ${{ github.event.pull_request.head.ref }} --config-branch ${{ github.event.pull_request.base.ref }} --docker + /usr/bin/curl -LO https://raw.githubusercontent.com/codeenigma/ce-provision/${{ github.event.pull_request.head.ref }}/install.sh + /usr/bin/chmod +x ./install.sh + /usr/bin/sudo ./install.sh --version ${{ github.event.pull_request.head.ref }} --config-branch ${{ github.event.pull_request.base.ref }} --docker --no-firewall # Run a web server provision - - name: Provision a test web server - if: ${{ github.event.pull_request.head.ref != 'documentation' }} + - name: Prepare Git repos on disk run: | - /bin/sh /home/runner/ce-provision/scripts/provision.sh --python-interpreter /home/runner/ce-python/bin/python3 --repo dummy 
--branch dummy --workspace /home/runner/ce-provision/ce-dev/ansible --playbook plays/web/web.yml --own-branch ${{ github.event.pull_request.head.ref }} --config-branch ${{ github.event.pull_request.base.ref }} --force + /usr/bin/git config --global --add safe.directory /home/controller/ce-provision + /usr/bin/git config --global --add safe.directory /home/controller/ce-provision/config - # Installs the ce-dev stack - #- name: Install ce-dev - # if: ${{ github.event.pull_request.head.ref != 'documentation' }} - # run: | - # cd /tmp - # wget https://golang.org/dl/go1.15.8.linux-amd64.tar.gz - # sudo tar -C /usr/local -xzf go1.15.8.linux-amd64.tar.gz - # export PATH=$PATH:/usr/local/go/bin - # git clone https://github.com/FiloSottile/mkcert && cd mkcert - # go build -ldflags "-X main.Version=$(git describe --tags)" - # sudo mv ./mkcert /usr/local/bin && cd ../ - # sudo chmod +x /usr/local/bin/mkcert - # rm -Rf mkcert - # curl -sL https://raw.githubusercontent.com/codeenigma/ce-dev/${{ github.event.pull_request.base.ref }}/install.sh | /bin/sh -s -- --platform linux + - name: Start SSHD + run: /usr/sbin/sshd& - # Uses the ce-dev stack to run a test provision - #- name: Run a test provision - # if: ${{ github.event.pull_request.head.ref != 'documentation' }} - # run: | - # git clone --branch ${{ github.event.pull_request.base.ref }} https://github.com/codeenigma/ce-dev-ce-provision-config.git config - # /bin/bash ce-dev/ansible/test.sh --examples web --own-branch ${{ github.event.pull_request.head.ref }} --config-branch ${{ github.event.pull_request.base.ref }} - # shell: bash + - name: Provision a test web server + run: /usr/bin/su - controller -c "cd /home/controller/ce-provision && /bin/sh /home/controller/ce-provision/scripts/provision.sh --python-interpreter /home/controller/ce-python/bin/python3 --repo dummy --branch dummy --workspace /home/controller/ce-provision/ce-dev/ansible --playbook plays/web/ci.yml --own-branch ${{ github.event.pull_request.head.ref }} 
--config-branch ${{ github.event.pull_request.base.ref }} --force" diff --git a/ce-dev/ansible/plays/gitlab/ci.yml b/ce-dev/ansible/plays/gitlab/ci.yml new file mode 100644 index 000000000..eb61f611f --- /dev/null +++ b/ce-dev/ansible/plays/gitlab/ci.yml @@ -0,0 +1,37 @@ +--- +- hosts: localhost + become: true + + vars: + project_name: gitlab + is_local: true + _ce_provision_base_dir: /home/ce-dev/ce-provision + _init: + force_play: true + vars_dirs: + - "{{ _ce_provision_base_dir }}/ce-dev/ansible/vars/_common" + - "{{ _ce_provision_base_dir }}/ce-dev/ansible/vars/{{ project_name }}" + + tasks: + - ansible.builtin.import_role: + name: _init + - ansible.builtin.import_role: + name: debian/user_provision + - ansible.builtin.import_role: + name: _meta/common_base + - ansible.builtin.import_role: + name: debian/ce_deploy + - ansible.builtin.import_role: + name: aws/aws_credentials + - ansible.builtin.import_role: + name: debian/gitlab + - ansible.builtin.import_role: + name: debian/gitlab_runner + - ansible.builtin.import_role: + name: debian/ssh_server + - ansible.builtin.import_role: + name: debian/sops + - ansible.builtin.import_role: + name: debian/gpg_key + - ansible.builtin.import_role: + name: _exit diff --git a/ce-dev/ansible/plays/web/ci.yml b/ce-dev/ansible/plays/web/ci.yml new file mode 100644 index 000000000..94bd2f49f --- /dev/null +++ b/ce-dev/ansible/plays/web/ci.yml @@ -0,0 +1,22 @@ +--- +# Spin up a "web" instance. +- hosts: localhost + become: true + + vars: + project_name: web + is_local: true + _ce_provision_base_dir: /home/ce-dev/ce-provision + _init: + force_play: true + vars_dirs: + - "{{ _ce_provision_base_dir }}/ce-dev/ansible/vars/_common" + - "{{ _ce_provision_base_dir }}/ce-dev/ansible/vars/{{ project_name }}" + + tasks: + - ansible.builtin.import_role: + name: _init + - ansible.builtin.import_role: + name: _meta/webserver + - ansible.builtin.import_role: + name: _exit 
diff --git a/ce-dev/ansible/vars/gitlab/gitlab_runner.yml b/ce-dev/ansible/vars/gitlab/gitlab_runner.yml new file mode 100644 index 000000000..721b65ab0 --- /dev/null +++ b/ce-dev/ansible/vars/gitlab/gitlab_runner.yml @@ -0,0 +1,2 @@ +gitlab_runner: + restart: false # no systemd in CI containers diff --git a/docs/roles/_init.md b/docs/roles/_init.md index 0f40180e3..e619e5656 100644 --- a/docs/roles/_init.md +++ b/docs/roles/_init.md @@ -9,7 +9,10 @@ This is meant to ALWAYS be included as the first task of a play. If you include ## Default variables ```yaml --- -_ce_provision_username: "{% if is_local is defined and is_local %}ce-dev{% else %}controller{% endif %}" +# Set this variable to true to tell ce-provision it is running in a container. +is_local: false + +_ce_provision_username: "{% if is_local %}ce-dev{% else %}controller{% endif %}" _venv_path: "/home/{{ _ce_provision_username }}/ce-python" _venv_command: /usr/bin/python3 -m venv _venv_install_username: "{{ _ce_provision_username }}" @@ -25,8 +28,8 @@ _init: # This is used to detect if the playbook must re-run or not. vars_dirs: [] force_play: false - lock_file: /tmp/ce-provision-lock - deploy_lock_file: /tmp/ce-deploy-lock # must match lock_file in ce-deploy + lock_file: /tmp/ce-provision-lock # set to an empty string to disable locking behaviour + deploy_lock_file: /tmp/ce-deploy-lock # must match lock_file in ce-deploy, set to an empty string to disable locking behaviour ce_provision_version: 2.x # Outputted by the _init role at the start of plays install_ansible: true # set to false to not install Ansible in a venv diff --git a/docs/roles/debian/aws_efs_client.md b/docs/roles/debian/aws_efs_client.md index 0711f04d9..5fc392261 100644 --- a/docs/roles/debian/aws_efs_client.md +++ b/docs/roles/debian/aws_efs_client.md 
@@ -46,7 +46,7 @@ _mount_state: present aws_efs_client: aws_profile: example # AWS boto profile name - can be substituted for "{{ _aws_profile }}" if set region: eu-west-1 # AWS region name - can be substituted for "{{ _aws_region }}" if set - version: 2.1.0 # version of AWS EFS utils to use + version: "{{ '1.35.0' if ansible_distribution_major_version | int < 12 else '2.1.0' }}" # 2.1.0 requires libssl v3 which is absent on Debian < 12 by default. build_suffix: "-1_all" # sometimes there is a suffix appended to the package name, e.g. `amazon-efs-utils-1.35.0-1_all.deb` deb_url: "" # provide an alternative location for the .deb package # See https://docs.ansible.com/ansible/latest/modules/mount_module.html diff --git a/docs/roles/debian/ce_deploy.md b/docs/roles/debian/ce_deploy.md index 90aa38931..743cbf8cd 100644 --- a/docs/roles/debian/ce_deploy.md +++ b/docs/roles/debian/ce_deploy.md @@ -8,7 +8,7 @@ Installs Code Enigma's deploy stack on a server. ```yaml --- _ce_deploy: - username: "{% if is_local is defined and is_local %}ce-dev{% else %}deploy{% endif %}" + username: "{% if is_local %}ce-dev{% else %}deploy{% endif %}" ce_deploy: # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. diff --git a/docs/roles/debian/gitlab.md b/docs/roles/debian/gitlab.md index c02282fd2..f4b11638b 100644 --- a/docs/roles/debian/gitlab.md +++ b/docs/roles/debian/gitlab.md @@ -38,6 +38,7 @@ gitlab: ssl: # @see the 'ssl' role. Note that domain is autopopulated from server_name above. enabled: false # manual SSL handling disabled by default handling: selfsigned + replace_existing: false # Linux setup linux_user: git linux_group: git diff --git a/docs/roles/debian/php-fpm.md b/docs/roles/debian/php-fpm.md index 063e97276..443ffbf87 100644 --- a/docs/roles/debian/php-fpm.md +++ b/docs/roles/debian/php-fpm.md 
@@ -23,7 +23,7 @@ php: # It is important to scale up processes on bigger servers, so that more # requests can be handled. Double the number of vCPUs is a good default. # Can be between 5 and 64. - max_children: "{{ [5, [ansible_facts.ansible_processor_nproc * 2, 64] | min] | max }}" + max_children: "{{ [5, [(ansible_facts.ansible_processor_nproc | default(1)) * 2, 64] | min] | max }}" # Fallback in case ansible_processor_nproc is not gathered before tasks start_servers: 2 min_spare_servers: 1 max_spare_servers: 3 diff --git a/install.sh b/install.sh index 1de23eae4..7ca8822d0 100755 --- a/install.sh +++ b/install.sh @@ -15,6 +15,7 @@ usage(){ /usr/bin/echo '--user: Ansible controller user (default: controller)' /usr/bin/echo '--config: Git URL to your ce-provision Ansible config repository (default: https://github.com/codeenigma/ce-provision-config-example.git)' /usr/bin/echo '--config-branch: branch of your Ansible config repository to use (default: 1.x)' + /usr/bin/echo '--no-firewall: skip installing iptables with ports 22, 80 and 443 open' /usr/bin/echo '--gitlab: install GitLab CE on this server (default: no, set to desired GitLab address to install, e.g. gitlab.example.com)' /usr/bin/echo '--letsencrypt: try to create an SSL certificate with LetsEncrypt (requires DNS pointing at this server for provided GitLab URL)' /usr/bin/echo '--aws: enable AWS support' @@ -49,6 +50,9 @@ parse_options(){ "--letsencrypt") LE_SUPPORT="yes" ;; + "--no-firewall") + FIREWALL="false" + ;; "--aws") AWS_SUPPORT="true" ;; @@ -71,9 +75,11 @@ CONFIG_REPO="https://github.com/codeenigma/ce-provision-config-example.git" CONFIG_REPO_BRANCH="1.x" GITLAB_URL="no" LE_SUPPORT="no" +FIREWALL="true" AWS_SUPPORT="false" IS_LOCAL="false" SERVER_HOSTNAME=$(hostname) +ANSIBLE_COMMAND="" # Parse options. parse_options "$@" 
@@ -90,6 +96,7 @@ if [ "$(id -u)" -ne 0 ] fi # Check we are using a compatible Linux distribution. +/usr/bin/echo "-------------------------------------------------" if [ "$ID" != "debian" ]; then if [ "$ID_LIKE" != "debian" ]; then /usr/bin/echo "ce-provision only supports Debian Linux and derivatives." @@ -132,7 +139,7 @@ fi git ca-certificates git-lfs \ openssh-client nfs-common stunnel4 \ python3-venv python3-debian \ - zip unzip gzip tar dnsutils + zip unzip gzip tar dnsutils net-tools /usr/bin/echo "-------------------------------------------------" # Install Ansible in a Python virtual environment. @@ -152,6 +159,8 @@ fi /usr/bin/echo "-------------------------------------------------" if [ ! -d "/home/$CONTROLLER_USER/ce-provision" ]; then /usr/bin/su - "$CONTROLLER_USER" -c "git clone --branch $VERSION https://github.com/codeenigma/ce-provision.git /home/$CONTROLLER_USER/ce-provision" + /usr/bin/su - "$CONTROLLER_USER" -c "git clone --branch $CONFIG_REPO_BRANCH $CONFIG_REPO /home/$CONTROLLER_USER/ce-provision/config" + /usr/bin/su - "$CONTROLLER_USER" -c "/usr/bin/ln -s /home/$CONTROLLER_USER/ce-provision/config/ansible.cfg /home/$CONTROLLER_USER/ce-provision/ansible.cfg" else /usr/bin/echo "ce-provision directory at /home/$CONTROLLER_USER/ce-provision already exists. Skipping." /usr/bin/echo "-------------------------------------------------" @@ -168,9 +177,13 @@ fi - name: Install ce-provision. ansible.builtin.import_role: name: debian/ce_provision + - name: Configure controller user. + ansible.builtin.import_role: + name: debian/user_provision EOL # Create vars file. /bin/cat >"/home/$CONTROLLER_USER/ce-provision/vars.yml" << EOL +--- _domain_name: ${SERVER_HOSTNAME} _ce_provision_data_dir: /home/${CONTROLLER_USER}/ce-provision/data _ce_provision_username: ${CONTROLLER_USER} 
@@ -205,6 +218,22 @@ ce_provision: enabled: true command: "/home/${CONTROLLER_USER}/ce-python/bin/ansible-galaxy collection install --force" on_calendar: "Mon *-*-* 04:00:00" +user_provision: + username: "${CONTROLLER_USER}" + home: "/home/${CONTROLLER_USER}" + create: false + create_home: false + update_password: always + utility_username: "${CONTROLLER_USER}" + utility_host: localhost + sudoer: true + groups: + - bypass2fa + ssh_keys: + - "{{ lookup('file', '/home/${CONTROLLER_USER}/ce-provision/data/localhost/home/${CONTROLLER_USER}/.ssh/id_ecdsa.pub') }}" + ssh_private_keys: [] + known_hosts: [] + known_hosts_hash: true firewall_config: purge: true firewall_state: started 
@@ -224,18 +253,24 @@ firewall_config: - "80" - "443" EOL + # Tell Ansible this is a Docker container if [ "$IS_LOCAL" = "true" ]; then - /usr/bin/su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/ansible-playbook --extra-vars \"{is_local: $IS_LOCAL, ansible_galaxy.extra_params: --force --roles-path /home/$CONTROLLER_USER/ce-provision/galaxy/roles}\" /home/$CONTROLLER_USER/ce-provision/provision.yml" + ANSIBLE_COMMAND="ansible-playbook --extra-vars \"{is_local: $IS_LOCAL}\" /home/$CONTROLLER_USER/ce-provision/provision.yml" else - /usr/bin/su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/ansible-playbook --extra-vars \"{ansible_galaxy.extra_params: --force --roles-path /home/$CONTROLLER_USER/ce-provision/galaxy/roles}\" /home/$CONTROLLER_USER/ce-provision/provision.yml" + ANSIBLE_COMMAND="ansible-playbook /home/$CONTROLLER_USER/ce-provision/provision.yml" fi +# Configure ce-provision +/usr/bin/su - "$CONTROLLER_USER" -c "cd /home/$CONTROLLER_USER/ce-provision && /home/$CONTROLLER_USER/ce-python/bin/$ANSIBLE_COMMAND" /usr/bin/rm "/home/$CONTROLLER_USER/ce-provision/provision.yml" + +# Install firewall +if [ "$FIREWALL" = "true" ]; then # Create playbook for firewall. -/usr/bin/echo "-------------------------------------------------" -/usr/bin/echo "Install firewall." -/usr/bin/echo "-------------------------------------------------" -/bin/cat >"/home/$CONTROLLER_USER/ce-provision/provision.yml" << EOL + /usr/bin/echo "-------------------------------------------------" + /usr/bin/echo "Install firewall." + /usr/bin/echo "-------------------------------------------------" + /bin/cat >"/home/$CONTROLLER_USER/ce-provision/provision.yml" << EOL --- - hosts: "localhost" become: true 
@@ -246,8 +281,13 @@ fi ansible.builtin.import_role: name: debian/firewall_config EOL -/usr/bin/su - "$CONTROLLER_USER" -c "cd /home/$CONTROLLER_USER/ce-provision && /home/$CONTROLLER_USER/ce-python/bin/ansible-playbook /home/$CONTROLLER_USER/ce-provision/provision.yml" -/usr/bin/echo "-------------------------------------------------" + /usr/bin/su - "$CONTROLLER_USER" -c "cd /home/$CONTROLLER_USER/ce-provision && /home/$CONTROLLER_USER/ce-python/bin/ansible-playbook /home/$CONTROLLER_USER/ce-provision/provision.yml" + /usr/bin/echo "-------------------------------------------------" +else + /usr/bin/echo "-------------------------------------------------" + /usr/bin/echo "Skipping firewall." + /usr/bin/echo "-------------------------------------------------" +fi # Install GitLab if [ "$GITLAB_URL" != "no" ]; then @@ -270,6 +310,8 @@ if [ "$GITLAB_URL" != "no" ]; then EOL # Create vars file. /bin/cat >"/home/$CONTROLLER_USER/ce-provision/vars.yml" << EOL +--- +_domain_name: ${SERVER_HOSTNAME} gitlab_runner: apt_origin: "origin=packages.gitlab.com/runner/gitlab-runner,codename=\${distro_codename},label=gitlab-runner" # used by apt_unattended_upgrades apt_signed_by: https://packages.gitlab.com/runner/gitlab-runner/gpgkey @@ -363,6 +405,9 @@ else /usr/bin/echo "GitLab not requested. Skipping." /usr/bin/echo "-------------------------------------------------" fi -/usr/bin/rm "/home/$CONTROLLER_USER/ce-provision/vars.yml" -/usr/bin/rm "/home/$CONTROLLER_USER/ce-provision/provision.yml" +# Tidy up if not a container +if [ "$IS_LOCAL" = "false" ]; then + /usr/bin/rm "/home/$CONTROLLER_USER/ce-provision/vars.yml" + /usr/bin/rm "/home/$CONTROLLER_USER/ce-provision/provision.yml" +fi /usr/bin/echo "DONE." diff --git a/roles/_exit/tasks/main.yml b/roles/_exit/tasks/main.yml index e6a844f4d..51d676278 100644 --- a/roles/_exit/tasks/main.yml +++ b/roles/_exit/tasks/main.yml 
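Review bot: the tidy-up guard `if [ "$IS_LOCAL" = "false" ]` has the opposite sense to the earlier test `if [ "$IS_LOCAL" = "true" ]`, so any value that is neither literal string (unset, `no`, `0`) leaves `vars.yml` and `provision.yml` behind in the controller's home on a real host. Use `if [ "$IS_LOCAL" != "true" ]` so the two checks agree. The `_domain_name: ${SERVER_HOSTNAME}` line added to `vars.yml` has no quoting, so a hostname containing YAML-special characters would break parsing; `"${SERVER_HOSTNAME}"` is safer.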
@@ -53,3 +53,4 @@ ansible.builtin.file: path: "{{ _init.lock_file }}" state: absent + when: _init.lock_file | length > 0 diff --git a/roles/_init/README.md b/roles/_init/README.md index 0f40180e3..e619e5656 100644 --- a/roles/_init/README.md +++ b/roles/_init/README.md @@ -9,7 +9,10 @@ This is meant to ALWAYS be included as the first task of a play. If you include ## Default variables ```yaml --- -_ce_provision_username: "{% if is_local is defined and is_local %}ce-dev{% else %}controller{% endif %}" +# Set this variable to true to tell ce-provision it is running in a container. +is_local: false + +_ce_provision_username: "{% if is_local %}ce-dev{% else %}controller{% endif %}" _venv_path: "/home/{{ _ce_provision_username }}/ce-python" _venv_command: /usr/bin/python3 -m venv _venv_install_username: "{{ _ce_provision_username }}" @@ -25,8 +28,8 @@ _init: # This is used to detect if the playbook must re-run or not. vars_dirs: [] force_play: false - lock_file: /tmp/ce-provision-lock - deploy_lock_file: /tmp/ce-deploy-lock # must match lock_file in ce-deploy + lock_file: /tmp/ce-provision-lock # set to an empty string to disable locking behaviour + deploy_lock_file: /tmp/ce-deploy-lock # must match lock_file in ce-deploy, set to an empty string to disable locking behaviour ce_provision_version: 2.x # Outputted by the _init role at the start of plays install_ansible: true # set to false to not install Ansible in a venv diff --git a/roles/_init/defaults/main.yml b/roles/_init/defaults/main.yml index 97a5ad1bf..5c2d85d42 100644 --- a/roles/_init/defaults/main.yml +++ b/roles/_init/defaults/main.yml 
@@ -1,5 +1,8 @@ --- -_ce_provision_username: "{% if is_local is defined and is_local %}ce-dev{% else %}controller{% endif %}" +# Set this variable to true to tell ce-provision it is running in a container. +is_local: false + +_ce_provision_username: "{% if is_local %}ce-dev{% else %}controller{% endif %}" _venv_path: "/home/{{ _ce_provision_username }}/ce-python" _venv_command: /usr/bin/python3 -m venv _venv_install_username: "{{ _ce_provision_username }}" @@ -15,8 +18,8 @@ _init: # This is used to detect if the playbook must re-run or not. vars_dirs: [] force_play: false - lock_file: /tmp/ce-provision-lock - deploy_lock_file: /tmp/ce-deploy-lock # must match lock_file in ce-deploy + lock_file: /tmp/ce-provision-lock # set to an empty string to disable locking behaviour + deploy_lock_file: /tmp/ce-deploy-lock # must match lock_file in ce-deploy, set to an empty string to disable locking behaviour ce_provision_version: 2.x # Outputted by the _init role at the start of plays install_ansible: true # set to false to not install Ansible in a venv diff --git a/roles/_init/tasks/main.yml b/roles/_init/tasks/main.yml index 3207c13f4..ac996f250 100644 --- a/roles/_init/tasks/main.yml +++ b/roles/_init/tasks/main.yml @@ -8,10 +8,13 @@ - name: Check for a ce-deploy lock file. ansible.builtin.stat: path: "{{ _init.deploy_lock_file }}" + when: _init.deploy_lock_file | length > 0 register: _ce_deploy_lock - name: Abort if ce-deploy lock file exists. - when: _ce_deploy_lock.stat.exists is defined and _ce_deploy_lock.stat.exists + when: + - _init.deploy_lock_file | length > 0 + - _ce_deploy_lock.stat.exists is defined and _ce_deploy_lock.stat.exists block: - name: Abort if ce-deploy lock file is found. ansible.builtin.debug: @@ -31,6 +34,7 @@ path: "{{ _init.lock_file }}" state: touch mode: 0644 + when: _init.lock_file | length > 0 # Load Linux services into ansible_facts.services. - name: Populate service facts 
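Review bot: making `is_local: false` a default of `_init` and then simplifying every `is_local is defined and is_local` to a bare `is_local` (this hunk and the `ce_deploy`, `gitlab`, `locales`, `mysql_*`, `nginx`, `postfix`, `php_blackfire`, `user_deploy` and `user_provision` hunks later in the patch) means every one of those roles now hard-depends on `_init` having run: a bare undefined variable in a `when:` or in a Jinja `{% if %}` is an error, not a falsy value. The `_init` README says it must ALWAYS be the first task of a play, so this is consistent, but it should be stated in the changelog, and standalone use of a role (e.g. a consumer including only `debian/nginx`) will need `is_local` set explicitly. In `_init/tasks/main.yml` the skipped `stat` leaves `_ce_deploy_lock.stat` undefined; the `when:` list on the abort block checks `_init.deploy_lock_file | length > 0` first, so the short-circuit keeps the second condition safe.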
diff --git a/roles/debian/ansible_galaxy/tasks/main.yml b/roles/debian/ansible_galaxy/tasks/main.yml index 5dde4a6df..106943f1d 100644 --- a/roles/debian/ansible_galaxy/tasks/main.yml +++ b/roles/debian/ansible_galaxy/tasks/main.yml @@ -13,7 +13,6 @@ - name: Install ansible-galaxy roles and/or collections. when: - _galaxy_requirements.stat.exists - - not is_local block: - name: Set up the ansible-galaxy command. ansible.builtin.set_fact: diff --git a/roles/debian/apt_repository/tasks/main.yml b/roles/debian/apt_repository/tasks/main.yml index df016422b..cef05098e 100644 --- a/roles/debian/apt_repository/tasks/main.yml +++ b/roles/debian/apt_repository/tasks/main.yml @@ -66,6 +66,7 @@ - apt_repository.signed_by is defined - apt_repository.signed_by | length > 0 - apt_repository.signed_by is url # https://docs.ansible.com/ansible/latest/collections/ansible/builtin/url_test.html + - not is_local block: - name: Create script to refresh APT repository key. ansible.builtin.template: diff --git a/roles/debian/aws_efs_client/README.md b/roles/debian/aws_efs_client/README.md index 0711f04d9..5fc392261 100644 --- a/roles/debian/aws_efs_client/README.md +++ b/roles/debian/aws_efs_client/README.md @@ -46,7 +46,7 @@ _mount_state: present aws_efs_client: aws_profile: example # AWS boto profile name - can be substituted for "{{ _aws_profile }}" if set region: eu-west-1 # AWS region name - can be substituted for "{{ _aws_region }}" if set - version: 2.1.0 # version of AWS EFS utils to use + version: "{{ '1.35.0' if ansible_distribution_major_version | int < 12 else '2.1.0' }}" # 2.1.0 requires libssl v3 which is absent on Debian < 12 by default. build_suffix: "-1_all" # sometimes there is a suffix appended to the package name, e.g. `amazon-efs-utils-1.35.0-1_all.deb` deb_url: "" # provide an alternative location for the .deb package # See https://docs.ansible.com/ansible/latest/modules/mount_module.html 
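Review bot: the `aws_efs_client` hunk changes the documented default for `version` in `README.md` only; there is no matching change to `roles/debian/aws_efs_client/defaults/main.yml` in this part of the patch, so either the defaults file was changed elsewhere or the README now documents a value the role does not actually default to. If the defaults were updated, the expression should be identical in both places. The Jinja precedence is fine as written: `ansible_distribution_major_version | int < 12` filters before comparing.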
diff --git a/roles/debian/ce_deploy/README.md b/roles/debian/ce_deploy/README.md index 90aa38931..743cbf8cd 100644 --- a/roles/debian/ce_deploy/README.md +++ b/roles/debian/ce_deploy/README.md @@ -8,7 +8,7 @@ Installs Code Enigma's deploy stack on a server. ```yaml --- _ce_deploy: - username: "{% if is_local is defined and is_local %}ce-dev{% else %}deploy{% endif %}" + username: "{% if is_local %}ce-dev{% else %}deploy{% endif %}" ce_deploy: # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. diff --git a/roles/debian/ce_deploy/defaults/main.yml b/roles/debian/ce_deploy/defaults/main.yml index 2999edae9..b4af9748b 100644 --- a/roles/debian/ce_deploy/defaults/main.yml +++ b/roles/debian/ce_deploy/defaults/main.yml @@ -1,6 +1,6 @@ --- _ce_deploy: - username: "{% if is_local is defined and is_local %}ce-dev{% else %}deploy{% endif %}" + username: "{% if is_local %}ce-dev{% else %}deploy{% endif %}" ce_deploy: # These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden. diff --git a/roles/debian/duplicity/tasks/main.yml b/roles/debian/duplicity/tasks/main.yml index 4a06b5857..7f7182e90 100644 --- a/roles/debian/duplicity/tasks/main.yml +++ b/roles/debian/duplicity/tasks/main.yml @@ -101,7 +101,7 @@ - name: Copy include-exclude filelist. ansible.builtin.template: src: include-exclude-filelist.j2 - dest: "{{ duplicity.install_dir }}/etc/{{ dir.name }}-include-filelist" + dest: "{{ duplicity.install_dir }}/etc/{{ dir.name }}-include-exclude-filelist" owner: root group: root mode: 0644 diff --git a/roles/debian/gitlab/README.md b/roles/debian/gitlab/README.md index c02282fd2..f4b11638b 100644 --- a/roles/debian/gitlab/README.md +++ b/roles/debian/gitlab/README.md 
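Review bot: renaming the generated file to `{{ dir.name }}-include-exclude-filelist` in `roles/debian/duplicity/tasks/main.yml` only helps if the consumer of that path (the backup script or cron template that passes `--include-filelist`/`--exclude-filelist` to duplicity) is renamed too; no such hunk appears here, so please confirm it, otherwise duplicity will keep looking for the old `-include-filelist` name and run with no filter. Stale `-include-filelist` files from previous runs will also remain on disk unless a cleanup task removes them.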
@@ -38,6 +38,7 @@ gitlab: ssl: # @see the 'ssl' role. Note that domain is autopopulated from server_name above. enabled: false # manual SSL handling disabled by default handling: selfsigned + replace_existing: false # Linux setup linux_user: git linux_group: git diff --git a/roles/debian/gitlab/defaults/main.yml b/roles/debian/gitlab/defaults/main.yml index f09d68f18..e2ed2ff05 100644 --- a/roles/debian/gitlab/defaults/main.yml +++ b/roles/debian/gitlab/defaults/main.yml @@ -25,6 +25,7 @@ gitlab: ssl: # @see the 'ssl' role. Note that domain is autopopulated from server_name above. enabled: false # manual SSL handling disabled by default handling: selfsigned + replace_existing: false # Linux setup linux_user: git linux_group: git diff --git a/roles/debian/gitlab/tasks/main.yml b/roles/debian/gitlab/tasks/main.yml index f98820592..00b55e162 100644 --- a/roles/debian/gitlab/tasks/main.yml +++ b/roles/debian/gitlab/tasks/main.yml @@ -87,20 +87,19 @@ src: gitlab-config.rb.j2 dest: /etc/gitlab/gitlab-config.rb -- name: Stop Gitlab. - ansible.builtin.command: /opt/gitlab/bin/gitlab-ctl stop - -- name: Reconfigure Gitlab. - ansible.builtin.command: /opt/gitlab/bin/gitlab-ctl reconfigure - - name: Let Gitlab know it's on Docker. ansible.builtin.copy: content: "gitlab-docker" dest: "/opt/gitlab/embedded/service/gitlab-rails/INSTALLATION_TYPE" mode: "0666" - when: - - is_local is defined - - is_local + when: is_local + +- name: Stop Gitlab. + ansible.builtin.command: /opt/gitlab/bin/gitlab-ctl stop + +- name: Reconfigure Gitlab. + ansible.builtin.command: /opt/gitlab/bin/gitlab-ctl reconfigure + when: not is_local - name: Copy startup script in place. ansible.builtin.template: @@ -110,9 +109,7 @@ group: root mode: "0555" force: true - when: - - is_local is defined - - is_local + when: is_local - name: Trigger overrides ansible.builtin.include_role: 
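Review bot: `replace_existing: false` is added to the `gitlab.ssl` block in both `README.md` and `defaults/main.yml` with no comment, unlike the neighbouring keys (`# manual SSL handling disabled by default`); say what it controls, presumably whether the `ssl` role overwrites a certificate already on disk. In `tasks/main.yml`, the reordering means a container now runs `gitlab-ctl stop` but never `gitlab-ctl reconfigure`, relying on `/opt/gitlab-init.sh` to bring it back; a one-line comment on the stop task would save the next reader a trip through the history. The marker file `INSTALLATION_TYPE` keeps `mode: "0666"`; nothing needs to write it after creation, so `0644` is enough and avoids a world-writable file under `/opt/gitlab`.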
@@ -125,12 +122,12 @@ - name: Manually restart Gitlab/Docker. ansible.builtin.command: "/bin/sh /opt/gitlab-init.sh" - when: - - is_local is defined - - is_local + when: is_local - name: Ensure GitLab is started. ansible.builtin.command: /opt/gitlab/bin/gitlab-ctl start +# @TODO - this task fails in CI with GitHub Actions because PostGreSQL isn't running - name: Run the GitLab configuration script for config that cannot be set in gitlab.rb. - ansible.builtin.command: "gitlab-rails runner /etc/gitlab/gitlab-config.rb" + ansible.builtin.command: /opt/gitlab/bin/gitlab-rails runner /etc/gitlab/gitlab-config.rb + when: not is_local diff --git a/roles/debian/gitlab/templates/gitlab-config.rb.j2 b/roles/debian/gitlab/templates/gitlab-config.rb.j2 index d3e1690f1..4a0619be9 100644 --- a/roles/debian/gitlab/templates/gitlab-config.rb.j2 +++ b/roles/debian/gitlab/templates/gitlab-config.rb.j2 @@ -1,9 +1,6 @@ # Disable DSA keys ApplicationSetting.last.update(dsa_key_restriction: -1) -# Disable ECDSA keys -ApplicationSetting.last.update(ecdsa_key_restriction: -1) - # Enforce at least 2048 bits for RSA keys ApplicationSetting.last.update(rsa_key_restriction: 2048) @@ -24,4 +21,3 @@ ApplicationSetting.last.update(signup_enabled: false) # Disable standard sign-in dialogue Gitlab::CurrentSettings.update!(password_authentication_enabled_for_web: false) {% endif %} - diff --git a/roles/debian/gitlab_runner/tasks/main.yml b/roles/debian/gitlab_runner/tasks/main.yml index 745daadc9..017dd4afc 100644 --- a/roles/debian/gitlab_runner/tasks/main.yml +++ b/roles/debian/gitlab_runner/tasks/main.yml @@ -138,7 +138,7 @@ become: true - name: Restart gitlab-runner service. - ansible.builtin.service: + ansible.builtin.systemd_service: name: gitlab-runner state: restarted daemon_reload: true diff --git a/roles/debian/jitsi/tasks/main.yml b/roles/debian/jitsi/tasks/main.yml index ec485f6ba..cef38260b 100644 --- a/roles/debian/jitsi/tasks/main.yml +++ b/roles/debian/jitsi/tasks/main.yml 
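Review bot: dropping `ApplicationSetting.last.update(ecdsa_key_restriction: -1)` from `gitlab-config.rb.j2` re-enables ECDSA SSH keys on the GitLab instance, which is a policy change rather than a bug fix and should be called out in the changelog; it lines up with the installer now publishing `id_ecdsa.pub` for the controller user, but anyone who relied on the previous restriction will not expect it. The `@TODO` on the `gitlab-rails runner` task should say what the visible workaround is (`when: not is_local`) so CI readers know the config script simply does not run in containers. Note `ansible.builtin.systemd_service` (also used in the `jitsi` hunk) requires ansible-core 2.15 or newer; fine for the venv-installed Ansible this patch sets up, but worth a line in the requirements.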
@@ -27,7 +27,7 @@ DefaultTasksMax=65000 - name: Force systemd to reread configs. - ansible.builtin.systemd: + ansible.builtin.systemd_service: daemon_reload: true - name: Write interactive hostname value for automated installation. diff --git a/roles/debian/locales/tasks/main.yml b/roles/debian/locales/tasks/main.yml index 7cdf73af4..e6e8af3bf 100644 --- a/roles/debian/locales/tasks/main.yml +++ b/roles/debian/locales/tasks/main.yml @@ -33,4 +33,4 @@ - name: Set timezone. community.general.timezone: name: "{{ locales.timezone }}" - when: not is_local is defined or not is_local + when: not is_local diff --git a/roles/debian/mysql_server_mariadb/tasks/main.yml b/roles/debian/mysql_server_mariadb/tasks/main.yml index f76d88ca7..f463d95e8 100644 --- a/roles/debian/mysql_server_mariadb/tasks/main.yml +++ b/roles/debian/mysql_server_mariadb/tasks/main.yml @@ -33,12 +33,12 @@ - name: Update MySQL root password. ansible.builtin.shell: > mysql -NBe 'GRANT ALL ON *.* TO "root"@"%" IDENTIFIED BY "root" WITH GRANT OPTION;' - when: is_local is defined and is_local + when: is_local - name: Update MySQL ce-dev password. ansible.builtin.shell: > mysql -NBe 'GRANT ALL ON *.* TO "ce-dev"@"%" IDENTIFIED BY "ce-dev" WITH GRANT OPTION;' - when: is_local is defined and is_local + when: is_local - name: Ensure mysql can write data. ansible.builtin.file: diff --git a/roles/debian/mysql_server_oracle_ce/tasks/main.yml b/roles/debian/mysql_server_oracle_ce/tasks/main.yml index b427af88c..f42b70f5b 100644 --- a/roles/debian/mysql_server_oracle_ce/tasks/main.yml +++ b/roles/debian/mysql_server_oracle_ce/tasks/main.yml 
@@ -77,12 +77,12 @@ - name: Update MySQL root password. ansible.builtin.shell: > mysql -NBe 'GRANT ALL ON *.* TO "root"@"%" IDENTIFIED BY "root" WITH GRANT OPTION;' - when: is_local is defined and is_local + when: is_local - name: Update MySQL ce-dev password. ansible.builtin.shell: > mysql -NBe 'GRANT ALL ON *.* TO "ce-dev"@"%" IDENTIFIED BY "ce-dev" WITH GRANT OPTION;' - when: is_local is defined and is_local + when: is_local - name: Ensure MySQL can write data. ansible.builtin.file: diff --git a/roles/debian/nginx/templates/drupal10.j2 b/roles/debian/nginx/templates/drupal10.j2 index fee75d6c5..a4dfa5449 100644 --- a/roles/debian/nginx/templates/drupal10.j2 +++ b/roles/debian/nginx/templates/drupal10.j2 @@ -81,7 +81,7 @@ location ~ ^/(index|cron|modules\/statistics\/statistics|core\/modules\/statisti try_files @phpprocess @phpprocess; } # Allow install/update for local stack. -{% if is_local is defined and is_local %} +{% if is_local %} location ~ ^/(install|update)\.php$ { try_files @phpprocess @phpprocess; } diff --git a/roles/debian/nginx/templates/drupal_common.j2 b/roles/debian/nginx/templates/drupal_common.j2 index 770203509..3e406dd6d 100644 --- a/roles/debian/nginx/templates/drupal_common.j2 +++ b/roles/debian/nginx/templates/drupal_common.j2 @@ -72,7 +72,7 @@ location ~ ^/(index|cron|modules\/statistics\/statistics|core\/modules\/statisti try_files @phpprocess @phpprocess; } # Allow install/update for local stack. -{% if is_local is defined and is_local %} +{% if is_local %} location ~ ^/(install|update)\.php$ { try_files @phpprocess @phpprocess; } diff --git a/roles/debian/nginx/templates/mautic.j2 b/roles/debian/nginx/templates/mautic.j2 index 92845e808..76de23a5c 100644 --- a/roles/debian/nginx/templates/mautic.j2 +++ b/roles/debian/nginx/templates/mautic.j2 
@@ -60,7 +60,7 @@ location ~ /(addons|plugins)/.*/Assets/ { } # Allow index_dev/upgrade for local stack. -{% if is_local is defined and is_local %} +{% if is_local %} location ~ ^/(index_dev|upgrade)\.php$ { try_files @phpprocess @phpprocess; } diff --git a/roles/debian/php-fpm/README.md b/roles/debian/php-fpm/README.md index 063e97276..443ffbf87 100644 --- a/roles/debian/php-fpm/README.md +++ b/roles/debian/php-fpm/README.md @@ -23,7 +23,7 @@ php: # It is important to scale up processes on bigger servers, so that more # requests can be handled. Double the number of vCPUs is a good default. # Can be between 5 and 64. - max_children: "{{ [5, [ansible_facts.ansible_processor_nproc * 2, 64] | min] | max }}" + max_children: "{{ [5, [(ansible_facts.ansible_processor_nproc | default(1)) * 2, 64] | min] | max }}" # Fallback in case ansible_processor_nproc is not gathered before tasks start_servers: 2 min_spare_servers: 1 max_spare_servers: 3 diff --git a/roles/debian/php_blackfire/defaults/main.yml b/roles/debian/php_blackfire/defaults/main.yml index 323e94a55..0e0e5c8a9 100644 --- a/roles/debian/php_blackfire/defaults/main.yml +++ b/roles/debian/php_blackfire/defaults/main.yml @@ -6,3 +6,5 @@ blackfire: agent_server_token: "" agent_client_id: "" agent_client_token: "" + agent_cli_config_path: /home/ce-dev/.blackfire.ini + agent_cli_config_owner: ce-dev diff --git a/roles/debian/php_blackfire/tasks/main.yml b/roles/debian/php_blackfire/tasks/main.yml index d7e513f0f..e093d607c 100644 --- a/roles/debian/php_blackfire/tasks/main.yml +++ b/roles/debian/php_blackfire/tasks/main.yml 
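Review bot: in the `php-fpm` README hunk, `ansible_facts.ansible_processor_nproc` is never defined: inside the `ansible_facts` namespace the keys have no `ansible_` prefix, so the fact is `ansible_facts.processor_nproc` (or top-level `ansible_processor_nproc`). With `| default(1)` the expression now silently evaluates to `max([5, min([2, 64])]) == 5` on every host, so the "double the vCPUs" scaling the comment promises never happens on big servers. Suggest `(ansible_facts.processor_nproc | default(1)) * 2` and the same fix in the role's `defaults/main.yml` if it carries the same expression. In the `php_blackfire` defaults, `agent_cli_config_path` and `agent_cli_config_owner` hard-code `ce-dev`; since the task is gated on `is_local`, deriving them from `_ce_provision_username` would keep them in step if that default changes.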
@@ -67,13 +67,13 @@ - name: Generate agent CLI configuration. ansible.builtin.template: src: blackfire.ini.j2 - dest: "/home/vagrant/.blackfire.ini" - owner: vagrant - group: vagrant + dest: "{{ blackfire.agent_cli_config_path }}" + owner: "{{ blackfire.agent_cli_config_owner }}" + group: "{{ blackfire.agent_cli_config_owner }}" mode: 0644 when: - blackfire.enable - - is_local is defined and is_local + - is_local - name: Trigger overrides ansible.builtin.include_role: diff --git a/roles/debian/postfix/tasks/main.yml b/roles/debian/postfix/tasks/main.yml index 83c7ecec6..94d433c28 100644 --- a/roles/debian/postfix/tasks/main.yml +++ b/roles/debian/postfix/tasks/main.yml @@ -99,7 +99,6 @@ state: directory when: - postfix.ce_dev_delivery_mode == "host" - - is_local is defined - is_local - name: Configure procmail to NULL. @@ -110,9 +109,7 @@ group: root mode: "0644" force: true - when: - - is_local is defined - - is_local + when: is_local - name: Configure procmail to host directory. ansible.builtin.template: @@ -124,7 +121,6 @@ force: true when: - postfix.ce_dev_delivery_mode == "host" - - is_local is defined - is_local - name: Configure procmail to local. @@ -133,7 +129,6 @@ state: absent when: - postfix.ce_dev_delivery_mode == "local" - - is_local is defined - is_local # Needed for Docker. diff --git a/roles/debian/postfix/templates/main.cf.j2 b/roles/debian/postfix/templates/main.cf.j2 index e79389db4..6addd3c23 100644 --- a/roles/debian/postfix/templates/main.cf.j2 +++ b/roles/debian/postfix/templates/main.cf.j2 @@ -52,7 +52,7 @@ smtpd_tls_key_file = {{ postfix.ssl.smtp_tls_key_file }} smtpd_tls_CApath = {{ postfix.ssl.smtp_tls_CApath }} smtpd_tls_CAfile = {{ postfix.ssl.smtp_tls_CAfile }} {% endif %} -{% if (is_local is defined) and is_local %} +{% if is_local %} # Force all mail to ce-dev user. virtual_alias_domains = "" virtual_alias_maps = static:ce-dev 
diff --git a/roles/debian/user_deploy/defaults/main.yml b/roles/debian/user_deploy/defaults/main.yml index dc22f8164..1d83a8cd7 100644 --- a/roles/debian/user_deploy/defaults/main.yml +++ b/roles/debian/user_deploy/defaults/main.yml @@ -1,5 +1,5 @@ --- -_user_deploy_username: "{% if is_local is defined and is_local %}ce-dev{% else %}deploy{% endif %}" +_user_deploy_username: "{% if is_local %}ce-dev{% else %}deploy{% endif %}" user_deploy: # This sets both username and main group. # If you are using ce-deploy to deploy code this must match the `deploy_user` variable diff --git a/roles/debian/user_provision/defaults/main.yml b/roles/debian/user_provision/defaults/main.yml index 7d07a8cc2..f10896c32 100644 --- a/roles/debian/user_provision/defaults/main.yml +++ b/roles/debian/user_provision/defaults/main.yml @@ -1,5 +1,5 @@ --- -_user_provision_username: "{% if is_local is defined and is_local %}ce-dev{% else %}controller{% endif %}" +_user_provision_username: "{% if is_local %}ce-dev{% else %}controller{% endif %}" user_provision: # This sets both username and main group. username: "{{ _user_provision_username }}"